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(57) A method is described for substantially con- 
currently perfomiing entity authentication oper- 
ations and short-lived secret key distribution 
operations over an insecure communication 
channel between communication partners, 
wherein authenticity of communication 
partners is determined by possession of the 
long-lived shared secret key. The method in- 
cludes a number of steps. Data flows are 
exchanged between the communication 
partners to define a composite key. At least a 
portion of the data flows have been encrypted 
or otherwise masked in a manner which utilizes 
the long-lived shared secret key. At least one 
authentication tag is passed between communi- 
cation partners over the communication chan- 
nel. The at least one authentication tag is based 
at least partially upon the composite key. The 
authentication tag is utilized to detenmine the 
authenticity of at least one communication 
partner. 
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The present invention relates in general to secur- 
ity in data proc ssing systems and, more particularly, 
to techniques for verifying the identity of communica- 
tion partners and distributing session keys among 
communication partners therein. 

With the increased utilization of distributed data 
processing systems to share and communicate sen- 
sitive and confidential information, the computing and 
related industries are paying significantly increased 
attention to improving and refining known techniques 
for securing data which is communicated over inse- 
cure communication channels such as telephone 
lines and electromagnetic-based communication 
systems such as cellular networks. 

Three long standing industry goals exist. First, it 
is important that the particular communication part- 
ners in a distributed data processing system be able 
to authenticate the identity of other communication 
partners within the distributed data processing sys- 
tem. Commonly, this entity authentication require- 
ment is met by depositing a long-lived and shared se- 
cret key at two or more communication nodes in the 
data processing system. For example, a user may 
possess a secret password which is also known by a 
host computer within the data processing system. 
When authentication is desired, a protocol is execut- 
ed which, based on this shared secret, serves to au- 
thenticate one party to the other, or each party to the 
other . For example, the long-lived and shared secret 
key can be utilized in a conventional encryption op- 
eration such as a DES encryption. Most commonly, 
the communication partner desiring authentication of 
another partner directs a "challenge" to the other part- 
ner which is in the form of a random bit stream. The 
partner for which authentication is sought typically 
performs an encryption operation upon the challenge 
bit stream utilizing the long-lived and shared secret 
key, and then passes this data back to the challenging 
party. This data is decrypted to determine whether 
the responding party has possession or knowledge of 
the long-lived and shared secret key. or the challeng- 
er utilizes an encryption engine to generate the re- 
sponse he or she is seeking, and then compress the 
response to the correct answer. This operation may 
be performed unilaterally or bilaterally. In a unilateral 
operation, one party obtains authentication of the 
identity of another party within the distributed data 
processing system. In a bilateral entity authentication 
procedure, both parties typically issue a "challenge" 
to the other party, which must be responded to prop- 
erly before communication can be allowed between 
the communication nodes. 

The second broad goal of the industry is to pro- 
vide techniques for generating and distributing short- 
lived and secret session keys which are shared by two 
or more communication partners in a distributed data 
processing system after authentication of the various 
communication partners has been obtained. In accor- 



dance with the present invention, the distribution of 
the short-lived and secret session key is tightly cou- 
pled with the entity authentication operations. The 
utilization of a session key ensures that the long-lived 

5 and shared secret key need not be used more often 
than is absolutely necessary, and it is further useful 
to guard against "replay attacks" across the commu- 
nication sessions which communicating partners may 
engage in. Typically, the long-lived and shared secret 

10 key is utilized only during entity authentication oper- 
ations. Immediately after authentication of the com- 
municating parties is obtained, the short-lived and se- 
cret session key is distributed and utilized to allow 
communication back and forth between the parties in 

15 that particular session, to be authenticated, encrypt- 
ed, or both. 

The third broad industry goal is that of assuring 
a communicating party which has received data over 
an insecure line that the data has not been modified 

20 in transit. Often, such message authentication is ach- 
ieved by having the originating party compute a short 
"authentication tag" as a function of the message be- 
ing transmitted and the secret key shared by the com- 
municating partners. This authentication tag is typi- 

25 cally appended to the data stream which is being 
communicated between the parties. Upon receipt of 
the data stream and authentication tag, the receiving 
party analyzes the authentication tag by performing 
the same operations which were performed upon the 

30 data set by the sending party to generate its own au- 
thentication tag. If the sender's authentication tag 
matches identically the receiver's authenticated tag. 
then the recipient of the data can be assured that the 
data has not been altered in any way. This type of pro- 

35 tection prevents an active adversary from entering 
the insecure communication channel and meddling 
with the data. 

In devising security systems for allowing secure 
communication between communication partners, it 

40 is generally assumed that an adversary may be (1) 
passive and perform eavesdropping operations to 
monitor and record all communications between the 
parties in the distributed data processing system, or 
(2) active and actually participate in communications 

45 within the distributed data processing system by re- 
questing access to data or resources and issuing or 
responding to authentication challenges. The capa- 
bilities of an active adversary are taken to include all 
those of a passive one. One type of adversarial attack 

50 which is contemplated is that of an initial passive per- 
iod of monitoring and recording activities, followed by 
a period of off-line analysis and manipulation of the 
data obtained during monitoring activities, followed by 
a brief interval of activity wherein access to data and 

55 data processing resourc s is r quest d. Alternative- 
ly, the adversary may merely engag in passive mon- 
itoring and recording activities followed by analysis 
and attempts to crypto analyze portions of the data. 
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particularly in an attempt to recover the session key, 
which Is then utilized to decrypt any encrypted data 
which was transmitted between the parties and re- 
corded by the adversary. 

Since it is more difficult to detect a passive adver- 
sary, who only monitors, records, and then later per- 
forms off-line analysis, than an active adversary who 
is forced to interact with one or more authorized com- 
munication parties, adversaries favor a passive mode 
of attack. A still more significant reason off-line ana- 
lysis is preferred by an adversary is the bandwidth 
limitations present in the communication channel: the 
adversary can only speak to partners at the rate 
which is defined and allowed by the system architec- 
ture; but off-line analysis can be performed at the rate 
of the adversary's computing resources. Thus, it is 
especially important to provide data security systems 
which prevent an adversary from gathering useful 
data during passive activities. It is especially impor- 
tant that security systems be designed to prevent a 
compromise of the long-lived and secret shared key 
as well as any short-lived and secret session keys 
which may have been utilized. It is especially impor- 
tant that the security system prevent the passive ad- 
versary from correctly guessing the long-lived or 
short-lived keys during off-line analysis, and then 
confirming the veracity of the guess during off-line 
activities. It is important that the adversary be forced 
to actively engage one or more communication par- 
ties in order to confirm the accuracy of a correctly 
guessed key. This type of protection is identified as 
"security against off-line attack", and can be best un- 
derstood with respect to the specific example of one 
type of off-line attack, which is known as a "dictionary 
attack", which will be discussed here below. 

Dictionary attacks are effective because the 
long-lived key used for the entity authentication is 
based on a user's password and these passwords are 
often chosen poorly. Many data processing systems 
allow the human operators to select their own pass- 
words. Of course, the humans select familiar words 
typically, in order to be better able to remember the 
pass word in the future. Is not uncommon for users to 
use proper names or common nouns or verbs as 
passwords. Since human language is a fairly small 
and static set. it is possible for a passive adversary to 
iterativety guess the candidate of one or more partic- 
ular languages and then see if such guess ^'explains" 
the transcript recorded in an earlier session during 
eavesdropping activity. When a match is identified, 
the correct password is typically recovered as is any 
short-lived key whose distribution had been based on 
this password. Of course, this type of off-line attack 
can be computationally demanding if the size f the 
dictionary is very large, but the significant advances 
which are continually being made in processing 
speed and power make such off-line attacks practical 
even if the dictionary contains many millions of 



words. 

This invention is directed to the provision of a se- 
curity system which is less susceptible to off-line at- 
tacks, such as a dictionary attack. 

5 Accordingly, the invention provides a method for 

authenticating a communication partner in an inse- 
cure communication channel in a data processing 
system wherein authenticity of communication part- 
ners is determined by possession of a long-lived 

10 shared secret key, comprising the method steps of: 
(a) exchanging data flows between communication 
partners, to define a composite key, wherein at least 
a portion of said data flows has been encrypted or 
otherwise masked in a manner which utilizes said 

15 long-lived shared secret key; (b) passing at least one 
authentication tag, which is based at least partially 
upon said composite key, between said communica- 
tion partners: and (c) utilizing said authentication tag 
to determine authenticity of at least one communica- 

20 tion partner. 

In this way an adversary is forced to to test the 
accuracy of each guess of a candidate key interac- 
tively with one or more communication parties, the 
number of communication flows which must pass be- 

25 tween communicating parties during entity authenti- 
cation operations and key distributions can be mini- 
mised and is less reliant on encryption and decryp- 
tion operations than existing prior art security sys- 
tems, and which is much more reliant upon trans- 

30 forms, such as message authentication codes and 
encryption hash functions, which are applied to a 
plurality of parameters including the long-lived and 
secret shared key, or its derivatives, in order to max- 
imize system security. 

35 In a preferred embodiment one or more compu- 

tationally irreversible transforms which are applied to 
a plurality of parameters, including the long-lived and 
secret shared key or its derivatives, to accomplish en- 
tity authentication, in lieu of the more conventional 

40 utilization of encryption techniques such as the DES 
algorithm. In the preferred embodiment, this type of 
authentication-tag-based entity authentication is util- 
ized in combination with an exponential key ex- 
change. The present technique can be utilized to per- 

45 form unilateral or multilateral authentication, involv- 
ing two parties or three parties. 

In a particular embodiment a method is provided 
for authenticating a communication partner an inse- 
cure communication channel, wherein the authentici- 

50 ty of a communication partner is determined by pos- 
session of a long-lived shared secret key. The method 
includes a number of steps. First, a "composite key" 
is exchanged in data flows between communication 
partners, wherein at I ast a portion of the data fl ws 

55 has been encrypted or otherwise masked in a manner 
which utilizes the long-lived shared seer t key. Next, 
at least one authentication tag is passed between 
communication partners, with the at least one authen- 
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ttcation tag being based at least partially upon the 
connposite key. Finally, the authentication tag is util- 
ized by at least one communication partner to deter- 
mine authenticity of another communication partner. 
In the preferred embodiment of the present invention, 5 
the at least one authentication tag is defined by a 
transform which includes at least one of (1) a mes- 
sage authentication code which is keyed by said long- 
lived shared secret key and taken over a plurality of 
parameters. (2) a cryptographic hash function taken io 
over the long-lived shared secret key and a plurality 
of other parameters, and (3) the encryption or mes- 
sage authentication code keyed by said long-lived 
key and taken over the cryptographic hash of a plur- 
ality of parameters. In one particular embodiment of 15 
the present invention, wherein mutual authentication 
is desired between first and second parties, the par- 
ties first exchange portions of a composite key using 
a conventional secret key exchange, except that 
some or all of the flows of this exchange are encrypt- 20 
ed, as is described in U.S.-A-4,241,599 to Bellovin et 
aL Then, first and second authentication tags are ex- 
changed between the first and second communica- 
tion parties. The authentication tags are analyzed to 
perform an entity authentication of the first and sec- 25 
ond communication partners. In one specific embodi- 
ment of the present Invention, at least one of the first 
and second authentication tags is communicated be- 
tween the first and second communication partners 
along with at least a portion of the composite session jo 
key, in order to minimize the number of communica- 
tion flows between the first and second communica- 
tion partners. In particular embodiments of the pres- 
nt invention, the authentication tags are generated 
by applying a hash function to a plurality of parame- 35 
ters, which include the newly-distributed session key, 
and then using as the authentication tag a prefix of 
this hash function. 

Viewed from another aspect, the invention pro- 
vides apparatus for authenticating a communication 40 
partner in an insecure communication channel in a 
data processing system wherein authenticity of com- 
munication partners is determined by possession of 
a long-lived shared secret key, comprising: (a) means 
for exchanging data flows between communication 45 
partners, to define a composite key. wherein at least 
a portion of said data flows has been encrypted or 
otherwise masked in a manner which utilizes said 
long-lived shared secret key; (b) means for passing at 
least one authentication tag, which is based at least so 
partially upon said composite key, between said conv 
munication partners; and (c) means for utilizing said 
authentication tag to determine authenticity of at least 
one communication partner. 

While the present invention is described with ref- 55 
erence to one principal commercial application in dis- 
tributed data processing systems, it is clear that the 
present invention is of general applicability and can 



be utilized to communicate messages in any conceiv- 
able communication channel, and that it is particular- 
ly useful for secret telecommunications. 

The invention will better be understood by refer- 
ence to the following detailed description of an illus- 
trative embodiment when read in conjunction with the 
accompanying drawings, wherein: 

Figure 1 depicts a prior art two-party, message 

authentication; 

Figure 2 depicts a prior art conventional key ex- 
change, exponential key exchange, such as the 
Diff ie-Hellman key exchange; 
Figure 3 depicts a prior art key exchange in ac- 
cordance with the teachings of Bellovin and Mer- 
ritt; 

Figure 4 depicts a two-party, mutual authentica- 
tion operation in one embodiment of the inven- 
tion; 

Figure 5 depicts a distributed data processing 
system which can be programmed to perform an 
authentication operation. 

Figures 1 , 2, and 3 provide views of prior art tech- 
niques for securing the communication of data. An un- 
derstanding of these prior art techniques will facilitate 
an understanding of the preferred embodiments of 
the present invention which are depicted in Figures 
4 and 5. 

In Figure 1, a prior art three-pass message au- 
thentication technique is depicted As is shown, A and 
B are the communication partners, which share a 
long-lived and shared secret key a. Communication 
partners A and B communicate over an insecure com- 
munication channel. Three data flows are depicted in 
Figure 1, The first data flow is from communication 
partner A to communication partner B, and includes 
a random bit string Ra which represents an entity au- 
thentication challenge. The first flow also includes an 
arbitrary text string Text1. Communication partner B 
responds to the first communication flow by directing 
to communication partner A a random bit string chal- 
lenge Rb an arbitrary text string Text2, and a bit string 
which is the result of a transform h\ which is keyed 
with the long-lived and shared secret key a, and taken 
over a plurality of further data items including an iden- 
tification of communication partners A, B, the au- 
thentication challenges Ra, Rb» which have been gen- 
erated by the communication partners A, B, and 
Text2, 

Since communication partner A possesses the 
long-lived and shared secret key a. then she can util- 
ize the authentication challenge Rb from communica- 
tion partner B to generate a bii stream which is iden- 
tical (if the second flow is computed correctly and re- 
ceived as it is transmitted) to that provided by conr>- 
munication partner B as a result of utilization of trans- 
form h.^ At the end of communication flow 2, commu- 
nication partner A can be certain that communication 
partner B is ''authentic*', since possession of the long- 
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lived and shared secret key is required for communi- 
cation partner B to generate a bit stream through the 
utilization of transform h,^ which is identical to that 
generated by communication partner A. 

In the third communication flow, communication 
partner A directs Texts, and the result of the applica- 
tion of transform h,* to the authentication challenge 
Rb and Text3. Communication partner B can utilize 
th long-lived and shared secret key a. the authenti- 
cation challenge Rb. Text3, and transform to gen- 
erate a bit stream which is compared to that provided 
by communication partner A. If the bit streams are 
identical* then communication partner B can be cer- 
tain that communication partner A is "authentic". The 
techniques depicted in Figure 1 are more fully dis- 
cussed in a publication by M. Bellare and P. Rogaway, 
entitled "Entity Authentication and Key Distribution", 
published in The Proceeding of Crypto '93. by Spring- 
er-Verlag. which is incorporated here fully as it set 
forth herein. Basically, in the technique of Figure 1, 
conventional entity authentication challenging tech- 
niques are combined with conventional message au- 
thentication techniques. 

Figure 2 depicts a conventional key exchange in 
accordance with the teachings of W. Diffie, and M. 
Hellman, in an article entitled "New Directions in 
Cryptography", IEEE Transactions On Information 
Theory, IT-22. No. 6. 1976, which is incorporated 
herein as if fully set forth. This technique may be iden- 
tified specifically as a Diff ie-Hellman key exchange. 
The purpose of this technique is to publicly exchange 
information that can be combined to generate a 
shared secret key which can be utilized for particular 
communication sessions. In accordance with this pro- 
tocol) communication partner A directs to communi- 
cation partner B a bit stream which is generated by 
expotentiating a publicly-known base g to a secretly 
selected power u, selected from a publically-known 
group such as the multiplicative group K/lodulo a fixed 
prime number p. Communication partner B responds 
in communication flow 2 by directing to communica- 
tion partner A a bit stream which is generated by ex- 
potentiating a publically-known base g to a secretly 
selected power p. selected from the same publically- 
known group from which a was selected. The shared 
s cret a is generated by utilization of the information 
passed between communication partners A, B in the 
two communication flows. As is shown in Figure 2. 
the shared secret a is a function of a transform H| as 
applied to the exponential product of g" and gP. Pre- 
ferably, the values for a, and p are randomly selected 
by communication partners A, B from a predefined 
set of integers. 

The Diff ie-Hellman key exchange is useful only 
over communication channels which may be subject 
to passive adversaries, but not communication chan- 
nels which are not subject to active adversaries. In 
oth r words, if the communication channel is sus- 



ceptible to interaction by the adversary, then the Dif- 
f ie-Hellman key exchange protocol is not very useful, 
since the adversary can pose as either communica- 
tion partnerA or communication partner B and initiate 
5 the generation of a shared secret, which can then be 
utilized to obtain information from an authorized par- 
ty. 

Conventional key exchange techniques like that 
of the Diffie-Hellman key exchange protocol of Fig- 
to ure 2 have been elaborated on by Bellovin and Merritt 
in the paper entitled "Encrypted Key Exchange: 
Password Based Protocol Secure Against Dictionary 
Attacks", proceedings of the IEEE Symposium On 
Research And Security And Privacy. 1992. which is 

15 also the subject matter of U.S.-A-5.241,599. issued 
on August 31 , 1993 to Bellovin et al., and which is en- 
titled "Cryptographic Protocol For Secure Communi- 
cations", both of which are incorporated herein by ref- 
erence fully. The broad concept behind the approach 

20 of Bellovin and Merritt is depicted in Figure 3. As is 
shown, communication partners A, B share a long- 
lived secret key a. Two communication flows are de- 
picted in Figure 3, although additional communica- 
tion flows are also possible. In the first communica- 

25 tion flow. A applies a randomly-selected and secret a 
(an authentication key picked from a fixed underlying 
group), as an exponent to the publically-known base 
g, and then applies an encryption of masking trans- 
form Ef} which is keyed with the long-lived and shared 

30 secret key a to the bit stream representative of g". In 
the second communication flow, communication 
partner B responds by applying a randomly-selected 
p as an exponent to the base g, and then applies a 
transform E.* to the bit stream which is generated by 

35 g^. In accordance with this technique, the key which 
has been generated as a result of this interaction is a 
which is equal to Hi(g*'P), for some function H^. In this 
protocol the transforms and can be exclusiv - 
or operations or any other masking operation. Utitiz- 

40 ing this technique Bellovin and Merritt have devised 
a protocol which can be utilized to periodically gener- 
ate short-lived session keys, in accordance with th 
Diffie-Hellman key exchange, which are secure 
against both active and passive adversaries. The in- 

45 formation contained in communication flows 1 and 2 
is not susceptible to eavesdropping, since the ex- 
changed data is encrypted with a transform which is 
keyed by the long-lived and shared secret key a, and 
is thus not susceptible to passive off-line attacks such 

50 as a dictionary attack. 

One embodiment of the present invention will be 
described now with reference to Figure 4. The pres- 
ent invention presents a security protocol which can 
be utilized to simultaneously obtain the following re- 

55 suits: 

(1) to allow for entity auth ntication between two 
or more parties in a communication system; 

(2) to mploy tags, in lieu of encryption, to ach- 
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ieve the entity authentication for messages corrv 
municated between the parties in a communica- 
tion system; 

(3) to allow the two or more parties In the commu- 
nication system to distribute a short-lived session 
key: and 

(4) wherein the objectives of entity authentication 
and session key distribution are accomplished in 
a minimal number of communication flows be- 
tween the multiple parties in the communication 
system, and which in particular is accomplished 
by a substantially simultaneous pursuit of the 
goals of entity authentication, and key distribu- 
tion in each particular data flow; and 

(5) wherein the communication system is secure 
from off-line attacks, and in particular is secure 
against dictionary attacks; and 

(6) wherein the security system provides perfect 
forward secrecy, preventing an adversary from 
utilizing knowledge of the long-lived key to com- 
promise the secrecy of recorded sessions. 

As is shown in Figure 4, this preferred embodi- 
ment requires three consecutive data flows between 
communication parties A, B, which share a long-lived 
secret a; however, in alternative embodiments, the 
objectives of the present invention could be achieved 
in a greater number of data flows, such as, for exanrv 
pie four or five data flows, by separating particular 
portions of the data flows for separate communica- 
tion. 

In the scenario of Figure 4. communication part- 
ner A is trying to pass Textl to communication part- 
ner B. Communication B will respond by directing 
Text2 to communication partner A. Then communica- 
tion partner A will reply to communication partner B 
by directing Texts to communication B. During this 
exchange of data, communication partners A. B want 
to make certain that each communication is being 
generated by an "authentic" source, and that the tex- 
tual message or data has not been altered in anyway 
by an adversary. They also want to distribute a fresh 
session key. to be used for subsequent message au- 
thentication and/or encryption. To accomplish these 
goals, in the first communication flow, communica- 
tion partner A directs Textl and an encrypted or 
otherwise masked bit stream to communication part- 
ner B. More specifically, communication partner A 
selects a, in accordance with the Diffie-Hellman key 
exchange which is depicted in Figure 2, and descri- 
bed above, a is selected at random between 0 and p- 
2 from the multiplicative group of integers modulo p. 
The randomly-selected a is applied as an exponent to 
a publically-known base g. and the numeric value of 
g« is subject to transform E^ which is keyed with the 
long-lived and shared secret key a' which can com- 
prise an exdusive-or operation performed utilizing ga 
and the long-lived and shared key a. In the communi- 
cation flow this operation is represented as EJ. 



Therefore, the first flow of a conventional secret key 
exchange is masked in accordanc with the trans- 
form E,^ 

In the second communication flow, communica- 

5 tion partner B directs to communication partner A a 
textual portion Text2, and two other components. 
The first component is a second flow of a convention- 
al key exchange, such as the Diffie-Hellman key ex- 
change model. More specifically, communication 

10 partner B randomly selects p from the set of integers 
from which a was selected. The randomly-selected p 
is applied as an exponent to the publically-known 
base g. The numeric value of g^* may be subjected to 
transform E* which is keyed by the long-lived and 

IS shared secret key a and which is thus represented in 
communication flow 2 as E.^. The second component 
is the result of applying masking transform h^ which 
is keyed with the long-lived and shaved secret key a. 
and which is applied to a plurality of parameters in- 

20 eluding an identification of communication party B. 
an identification of communication party A, the tex- 
tual portion Textl which was transmitted in the first 
data flow, the textual portion Text2 which was trans- 
mitted in the second data flow, and the masked ex- 

25 change of key portions defined by EaMg**). and 
Ea2(gP). Additionally, a is also the subject of the trans- 
form of ha^ o is defined, in accordance with the Dif- 
fie-Hellman protocol of Figure 2, as g°P mod p. 
In this manner, in the first two communication 

30 flows, communication partners A, B. exchange two 
textual portions, as well as two flows which together 
define the short-lived (session) key which is defined 
as ct; however, the key flows are masked to render 
them useless to an adversary who does not have ac- 

35 cess to the long-lived and shared secret key a. In th 
second communication flow, the bit stream generat- 
ed by transform h^* serves a dual function: to perform 
a message authentication procedure on the data of 
Textl and Text2. and to. authenticate communication 

40 partner B to communication partner A (by having the 
encryption transform be applied to a group of para- 
meters which includes a or a). 

In the third communication flow, textual portion 
Text3 is communicated by communication partner A 

45 to communication partner B. Additionally, masking 
transform is keyed with the long-lived and shared 
secret key a, and is applied to at least three parame- 
ters, including the transformed composite key portion 
gP, which is subjected to the transform in accordance 

50 with Ea^, the textual portion Text3, and a which rep- 
resents the session key. As a result of this third com- 
munication flow, communication partner A has au- 
thenticated herself to communication partner B by in- 
cluding a in the parameters which are subjected to the 

55 encryption transform h.^i Simultaneously, the data 
contained in T xt3 is assured to be accurate, since 
transform h.* operates as a message authentication 
transform. 
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In the preferred embodiment of the pres nt inven- 
tion, a plurality of conventional transforms may be 
utilized to perform the ncryption or masking trans- 
form function of the transforms E^ E^, h^ and h^. For 
example, the encryption or masking transform of E,^ 
could be the exclusive-oring of the long-lived and se- 
cret shared key a against g°. The exclusive-oring of 
the long-lived and shared secret key a against the bit 
stream of coutd be utilized as the masking trans- 
form E^. 

The encryption or masking transforms and 
are preferably either (1) a message authentication 
code operation, which is keyed by the long-lived and 
shared secret key a applied to a plurality of parame- 
ters including a or a composite key portion, or (2) a 
cryptographic hash function which is keyed with the 
long-lived and shared secret key a and applied to a 
plurality of parameters including the composite ses- 
sion key a or a portion of the composite session key, 
or (3) the encryption or message authentication code 
k yed by the long-lived key a and taken over the cryp- 
tographic hash of a plurality of parameters. 

In the preferred embodiment of the present inven- 
tion, transforms h.^ and h,^ are either conventional 
message authentication code techniques or conven- 
tional hash functions. Many mechanisms are avail- 
able to accomplish the objectives of message authen- 
tication code operations, but some of the principal 
ones include: 

(1) the prefix of the last word of the CBC-encryp- 
tion using a block cipher a (that is. cipher block 
chaining) of a particular bit stream under a long- 
lived and secret key a. denoted as "CBCaC(x)"; 

(2) the prefix of the cryptographic hash of a par- 
ticular bit stream and the long-lived and shared 
secret key a. denoted as "hash (x, a)"; 

(3) a combination of the operation of No. 1 and 
the operation of No. 2 to drive the prefix of a ciph- 
er block chaining operation which is performed 
upon a cryptographic hash function of operation 
No. 2. which is denoted "CBCa(hash(x,a)): and 

(4) a combination of a hash operation and an en- 
cryption operation (such as the DES algorithm) 
which can be denoted as "Encryption {hash(x))". 

MESSAGE AUTHENTICATION CODE 
OPERATIONS 

Message authentication codes (MACs) are util- 
ized in cryptography to assure the authenticity of 
communications. These types of operations are fre- 
quently referred to as "message authentication oper- 
ations". Typically, message authentication opera- 
tions permit a receiver to validate a message's origin 
and destination, contents, timeliness, and sequence 
relative to other messages flowing between commu- 
nicants. 

While a variety of algorithms may serv to per- 



form the method authentication code (MAC) opera- 
tions, the best known and fficial scheme is docu- 
mented in the DES MODES OF OPERATION public- 
ation, more specifically identified as the Federal In- 

5 formation Processing Standards Publication, FIPS 
PUB 81, published by the National Bureau of Stan- 
dards on December 2. 1980. Preferably, the Cipher 
Block Chaining (CBC) mode is used to encrypt plain- 
text, which must be padded (for example, with zero 

10 bits) if necessary to make it a multiple of sixty-four 
bits in length. The MAC consists of the last k bits of 
cyphertext, the rest of which is discarded. This proc- 
ess is discussed in an article by C. H. Meyer and S. 
M. Matyas. entitled "Cryptography: A New Dimension 

15 in Computer Data Security", published by John Wiley 
& Sons, of New York, in 1982. The utilization of the 
DES algorithm in the Cipher Block Chaining mode of 
operation demonstrates a well-established forward 
error propagating property; therefore, the change of 

20 even so much as a single bit in the plaintext would 
cause an unpredictable change in every bit in the 
MAC with the probability of fifty percent for each bit. 
Utilizing a MAC which is k-bits long, and the MAC is 
transmitted along with the associated message to be 

25 authenticated, and that portion is recomputed on the 
received message at the destination, then there is 
only a probability of 2- that the received MAC match- 
es the recomputed MAC in the event that the trans- 
mitted message has been tampered with. This prob- 

30 ability can be made as small as desired by choosing 
k sufficiently large. 

In the preferred embodiment of the present inven- 
tion, the Cipher Block Chaining operation is utilized to 
generate the message authentication code (MAC). 

35 The DES operation which is utilized in the Cipher 
Block Chaining is keyed with a particular secret key. 
In the embodiment discussed herein the keying of the 
message authentication code (MAC) operation with a 
secret key ensures that the authentication tag pro- 

40 duced as a result of the message authentication code 
operation serves to authenticate the one or more 
communication parties. 

An article published in the September 1985 issue 
of IEEE Communications Magazine, Volume 23. No. 

45 9, entitled "Message Authentication" by R. R. Juene- 
man, S. M. Matyas. and C. H. Meyer sets forth alter- 
natives to the Cipher Block Chaining operation, and 
is incorporated herein fully as if set forth. 

50 APPLICATIONS OF THE AUTHENTICATION 
PROTOCOLS 

The protocols of the present invention may be 
utilized in a distributed data processing system to au- 
55 thenticate one or more communication partners in the 
distribut d data processing system. In such an nvir- 
onment, one or more data processing units perform 
the functions of the trusted intermediary. Figur 5 



BNSOOCIO: <EP 0661844A2J_> 



13 



EP 0 661 844 A2 



14 



depicts a distributed data processing system 8 which 
may be programmed to perform the protocols descri- 
bed herein. 

As is shown in Figur 5. distributed data process- 
ing system 8 may include a plurality of networks, such 
as local area networks (LAN) 10 and 32, each of 
which preferably includes a plurality of individual conrv 
puters 12, 30, respectively. Of course, those skilled in 
the art will appreciate that a plurality of intelligent 
work stations coupled to a host computer may be util- 
ized for each such network. As is common in such dis- 
tributed data processing systems, each individual 
computer may be coupled to a storage device 14 
and/or a printer/output device 16. One or more such 
storage devices 14 may be utilized to store various 
"groupware" applications or documents which may be 
simultaneously or successively accessed and proc- 
essed by multiple users. Furthermore, one or more 
systems may be included for managing data process- 
ing resources, including the groupware applications 
and documents, in accordance with conventional 
technologies. 

Stiil referring to Figure 5, it may be seen that dis- 
tributed data processing network 8 may also include 
multiple mainframe computers, such as mainframe 
computer 18, which may be preferably coupled to lo- 
cal area network (l-AN) 10 by means of communica- 
tions link 22. Mainframe computer 18 may be coupled 
to a storage device 20 which may serve as remote 
storage for local area network (LAN) 10 and may be 
coupled via communications controller 26 and com- 
munications link 34 to a gateway server 28. Gateway 
server 28 is preferably an individual computer or in- 
telligent work station (IWS) which serves to link local 
area network (LAN) 32 to local area network (LAN) 
10. 

As discussed above with respect to local area 
network (LAN) 32 and local area network (LAN) 10, 
a plurality of data objects, application programs, and 
data files, groupware programs, or groupware docu- 
ments may be stored within storage device 20 and 
controlled by mainframe computer 18, as resource 
manager or library service for the data objects and 
documents thus stored. Those skilled in the art will 
appreciate that it is often desirable to permit simulta- 
neous or successive, as well as restricted, access to 
such data objects, application programs, data files, 
groupware applications, or groupware documents to 
allow for the beneficial synergistic effects of group 
work. Additionally, those skilled ii*. the art will appre- 
ciate that mainframe computer 18 may be located a 
great geographical distance from local area network 
(LAN) 10; and, similarly, local area network (LAN) 10 
may be located a substantial distance from local area 
network (LAN) 32. That is, local area network (LAN) 
32 may be located in California, while local area net- 
work (LAN) 10 may be located in Texas, and main- 
frame computer 18 may be located in New York. 



OTHER SIGNIFICANT ADVANTAGES 

While the above described arrangement provides 
a secure and efficient means for authenticating com- 

5 munication partners and simultaneously distributing 
short-lived session keys to the communication part- 
ners, it also includes several significant advantages. 
"Perfect forward secrecy" is provided. This means 
thaL if an adversary comes into possession of the 

10 long-lived secret key, then short-lived session keys 
which were distributed utilizing the long-lived secret 
key are not compromised. In other words, knowledge 
or possession of the long-lived key will not yield the 
adversary any advantage with regard to short-lived 

IS keys. Therefore, recorded sessions cannot be 
"cracked" unless the short-lived session key is also 
within the knowledge or possession of the adversary. 
One significant additional advantage is that the pro- 
tocol is completely secure against "interleaving at- 

20 tacks", wherein an adversary poses as a communica- 
tion partner to engage multiple communication part- 
ners, successively or sequentially, in order to obtain 
a sufficient amount of information from one particular 
party, and then use that information to gain an advan- 

25 tage against another communication party. This type 
of interleaving attack is typically referred to in litera- 
ture as an "session" attack. In its most common form, 
the active adversary initiates communication with 
two different communication partners, and uses com- 

30 munications received from one partner to enter into a 
key exchange with another partner. The present em- 
bodiment is completely secure against this type of at- 
tack. 

While the invention has been particularly shown 
35 and described with reference • • ■ preferred embodi- 
ment, it will be understood h :i e skilled in the art 
that various changes in forrr : i retail may be made 
therein without departing f rc; !; 3 scope of the inven- 
tion, 

40 

Claims 

1. A method for authenticating a communication 
45 partner in an insecure communication channel in 

a data processing system wherein authenticity of 
communication partners is determined by pos- 
session of a long-lived shared secret key, com- 
prising the method ster s of : 
50 (a) exchanging data flows between communi- 

cation partners, to define a composite key, 
wherein at least a portion of said data flows 
has been encrypted or otherwise masked in a 
manner which utilizes said long-lived shared 
55 secret key; 

(b) passing at least one authentication tag, 
which is based at least partially upon said 
composite key. between said communication 
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partners; and 

(c) utilizing said authentication tag to deter- 
mine authenticity of at least one communica- 
tion partner. 

2. A method as claimed in Claim 1 : 

(d) wherein a first communication partner di- 
rects to a second communication partner a 
first exponential component of said compo- 
site key; 

(e) wherein said second communication part- 
ner directs to said first communication partner 
a second exponential component of said com- 
posite key. 

3. A method as claimed in Claim 2: 

(f) wherein said first exponential compo- 
nent includes a public base and a random and se- 
cret exponent selected by said first communica- 
tion partner from a defined group of integers. 

4. A method as claimed in Claim 2 or Claim 3: 

(f) wherein said second exponential com- 
ponent includes a public base and a random and 
secret exponent selected by said second commu- 
nication partner from a defined group of integers. 

5. A method as claimed in any of claims 2, 3 or 4: 

(f) wherein said first exponential component 
includes a public base and a random and se- 
cret exponent selected by said first communi- 
cation partner from a defined cyclic multipli- 
cative group of integers; and 

(g) wherein said second exponential compo- 
nent includes a public base and a random and 
secret exponent selected by said second 
communication partner from a defined cyclic 
multiplicative group of integers. 

6. A method as claimed in any preceding claim: 

(d) wherein each of said at least one au- 
thentication tag is defined by a transform includ- 
ing at least one of (a) a message authentication 
code, which is keyed by said long-lived shared 
secret key and taken over a plurality of parame- 
ters; and (b) a cryptographic hash function taken 
over said long-lived shared secret key and a plur- 
ality of other parameters; and (c) a masking op- 
eration involving said long-lived shared secret 
key. 

7. A method as claimed in any preceding claim: 

(e) wherein a first communication partner di- 
rects to a second communication partner a 
first authentication tag which allows said sec- 
ond communication partner to authenticate 
said first communication partner; and 

(f) wherein said second communication part- 



ner directs to said first communication partner 
a second authentication tag which allows said 
first communication partner to authenticate 
said s cond communication partner. 

5 

8. A method as claimed in claim 7: 

(g) wherein at least one of said first and 
second authentication tags is communicated be- 
tween said first and second partners concurrent 
10 with data flows which establish said composite 

key. Whereby the number of communication 
flows between said first and second communica- 
tion partners is minimised. 

15 9. A method as claimed in any preceding claim. 

wherein said step of exchanging data flows in- 
cludes the steps of: 

computing, in behalf of a first communica- 
tion partner, a value for g a for a particular g and 

20 a value for a secretly selected from a predefined 

group; 

computing, on behalf of a second commu- 
nication partner, a value for g p for said particular 
g and a value for p secretly selected from a pre- 
25 defined group; 

communicating said value for g p from said 
first communication partner to said second com- 
munication partner, 

communicating said value for g p from said 
30 second communication partner to said first com- 

munication partner 

generating a short-lived shared secret key 
g a p for use in securing communications be- 
tween said first and second communication part- 
35 ners over said insecure communication channel. 

10. A method as claimed in Claim 9, comprising: 

masking said value for g a and g p during 
communications between said first and second 
40 communication partners. 

11. A method as claimed in Claim 10, wherein said 
step of masking comprises: 

masking said value for g a by performing 
45 a masking operation between said value for g a 

and a shared secret key; 

masking said value for g P by performing 
a masking operation between said value for g p 
and a shared secret key. 

50 

12. Apparatus for authenticating a communication 
partner in an insecure communication channel in 
a data processing system wherein authenticity of 
communication partners is det rmined by pos- 

55 session of a long-lived shared secret key. c m- 

prising: 

(a) means for exchanging data flows b tween 
communication partners, t define a compo- 

9 
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site key, wherein at least a portion of said data 
flows has been encrypted or otherwise 
masked in a manner which utilizes said long- 
lived shared secret key; 

(b) means for passing at least one authentica- s 
tion tag. which is based at least partially upon 
said composite key. between said communi- 
cation partners; and 

(c) means for utilizing said authentication tag 

to determine authenticity of at least one conv io 
munication partner. 
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